Protect Your Online Accounts with 2FA

I met a friend for dinner who found out that some hacker got access to his online accounts. Naturally, he was concerned about identity theft and the amount of time it would take to fix the problem. One way to reduce the risk of account breaches is to use something called “two-factor authentication” or 2FA with your smartphone. The process is easier than you think.

What is Two Factor Authentication (2FA)?

The name two-factor authentication sounds complex to a lot of computer users. Chances are you’ve already used it in some capacity but didn’t know it by that name. You might also hear it called “multi-factor authentication.”

Basically, it means that before you can get access to some service, you need to have 2 items. These two factor authentication examples could include:

Authentication TypesExamples
Something you knowaccount name, password
Something in your possessionsecurity key, application, code
Some physical attributefingerprint, facial recognition

When you think of getting cash from your bank ATM, you’re using a similar process. You have to have both your bank card and your PIN. The online world can work similarly.

Instead of just relying on an account name and password, you can add a second protection level before people get access. This is important when you think of how many times you hear of security problems from large companies. It’s more important to use the same account name and password on multiple sites like my friend.

You might be thinking that 2FA is fine, but you don’t have any services that use it. You probably do, but many sites hide this security feature. Here are some you might know:

  • Google
  • Amazon
  • Facebook
  • Apple
  • eBay
  • Cloudflare
  • Dropbox
  • PayPal
  • Evernote
  • Epic Games
  • Xero

Most of the above companies are household names, but there are smaller players too. One good way to find additional 2FA sites is to go to

Josh Davis, an Amazon engineer, started this 2FA directory site. The site provides many ways to find sites that use two-factor authentication and additional information. The site is straightforward to use and presents the information in a nice grid.

Searchable 2FA site directory
  1. There is a search bar at the top where you can enter a service name. As you start typing, the site will show possible matches.
  2. You can also filter by category. In my example, I’m using the Backup and Sync category.
  3. Any alerts or exceptions about the company or service.
  4. A link to that company’s documentation on 2FA.
  5. An indication of what authentication types the company uses. You’ll also note that you can send a tweet to the company asking them to support 2FA.

Getting Started with an Authenticator App

There are many methods you can use for two-factor authentication. Perhaps, the best- known service is Google Authenticator. Most sites that show a check in the Software Token column in the image above should work.

The way these apps work is to provide a one-time password (OTP) that you use to log in to a service in addition to your regular password.

For example, when I use Cloudflare, I sign in as normal with my account name and password. But right after I hit the Login button, I’m greeted with the dialog below.

Cloudflare two-factor authentication dialog.Pin
Cloudflare prompt for 2FA code

At this point, I switch to my phone’s 2FA app and get a one-time password.

Using Google’s Authenticator

To use 2FA, you will need to install an app on your mobile phone.

  1. Install the Google app from your appropriate store. Both Google and Apple have versions.
  2. Using Josh’s 2 Factor Auth list site, find one of your service instructions. Some websites have a separate security section where you may see the activation settings.
  3. Navigate to the service page and look for a QR Code. You will scan this code with your phone or tablet.
Service with QR code to activate 2FA.Pin
Scan the service’s QR Code
  1. Google Authenticator will add your service to your phone and provide a one-time password (OTP).In the picture below, my password is 274944. I need to enter this code into the confirmation box before it expires. The small circle represents how much of my 30 seconds are remaining. A new code is generated after that.
Google Authenticator app one-time password and timer.Pin
Example of One-Time Password
  1. Enter the code from your app into the service’s Confirm Auth Code box. Your service may use different terminology such as “second-factor token'” etc.
  2. Your account is now configured to 2FA. From now on, each time you log into your service, you will be prompted to enter a new code from your app.

Other 2FA Application Services

There are several alternatives in case you don’t like Google. They all work similarly in that they generate a time-based one-time password (TOTP) on a mobile device. These include:

For example, I prefer Authy. While sites typically reference “Google Authenticator,” you can use Authy instead.

My suggestion is to visit each of these apps to see which one will suit your needs. There are subtle differences, such as Authy doesn’t have a circle clock to indicate time but uses a bar at the top. LastPass Authenticator can bypass codes and uses Approve or Deny buttons. And Microsoft’s version allows you to also store passwords.

Hardware Authentication Devices

While many people like the convenience of having a 2FA application on their phone, there are other options. If you’re an old PayPal user, you may remember they offered a small gray football shaped device. When you pressed it, a RSA code was generated that you entered. Many companies had these RSA tokens as well to give to remote workers access to their networks.

A newer addition are hardware keys, such as those made by Yubico or Google’s Titan Security key. These generally work with a USB port or a NFC enabled phone. The device is slipped into an available USB port on your computer. In the case of phones, you would be in range of the phone. The devices come in a range of sizes, but are small. Some people prefer to keep theirs on a keyring.

Caveats & Warnings

Although 2FA is more secure, it’s not bulletproof. This is especially true with SMS. While this is better than nothing, SMS is not as secure as you might think.

There have been some reports where these text messages were intercepted. Wired magazine had a nice article on this that you might want to read.

Another downside is that you may not be able to transfer your 2FA information when you get a new phone. The setup process doesn’t take a lot of time, but sometimes you need to take additional steps with the provider to remove the previous setup.

As much as I like 2FA, I have to admit some aspects that can “bite you in the butt.” For example, earlier, I had to do a factory reset of my cell phone, which had Google Authenticator. So I knew I needed to download the app again and go through the setup process. (Google has fixed this issue.)

What I didn’t realize was that some of the services I use had terrible fallback procedures. Most services will have a backup method so you can get back to your account. The typical means include an SMS code or a stored list of private codes that you enter into the app. However, some services tell you to call customer support. In one case, my provider wanted a notarized letter.

Before you do a factory reset on your cell phone or get a new one, my suggestion is to double-check your services. Where possible, get a copy of the one-time codes you’ll need or set up SMS.

These one-time codes are not the same as one-time passwords, although the concept is similar. These one-time codes are usually alphanumeric and stay active until you use them to log into your service. They don’t expire after 30 seconds. The codes can use them in cases where you don’t have your phone. The downside is you need to place them someplace safe that you can access.

If you have a provider that doesn’t have a fallback method, I’d suggest deactivating the service until you get the phone working. While it’s OK to keep hackers away, it’s exceedingly frustrating when you’re the one locked out.

Although it takes time to set up 2FA with all your services, it’s worth the additional effort. You don’t have to add all of them at once. Start by adding the services that pose the greatest risk. Then, get used to how the login process works and add more accounts as you get more comfortable.